DVS: Verify certificate on vCenter connections

The DVS driver was not validating the vCenter certificate.  This
patch utilizes the function already available in oslo.vmware to
verify certs.

DocImpact:
This introduces two config options in the [dvs] section: ca_file and insecure.

Change-Id: I3162437f219946e0acfa63ff0ae35f36a7e3bba7
Closes-Bug: #1487962
Eric Brown 2015-08-23 22:36:11 -07:00 committed by Gary Kotton
parent 8b6d8f798d
commit f4a031fd02
3 changed files with 19 additions and 2 deletions


@ -85,6 +85,8 @@ function neutron_plugin_configure_service {
iniset /$Q_PLUGIN_CONF_FILE dvs host_ip "$VMWAREAPI_IP"
iniset /$Q_PLUGIN_CONF_FILE dvs host_username "$VMWAREAPI_USER"
iniset /$Q_PLUGIN_CONF_FILE dvs host_password "$VMWAREAPI_PASSWORD"
iniset /$Q_PLUGIN_CONF_FILE dvs ca_file "$VMWAREAPI_CA_FILE"
iniset /$Q_PLUGIN_CONF_FILE dvs insecure "$VMWAREAPI_INSECURE"
iniset /$Q_PLUGIN_CONF_FILE dvs dvs_name "$VMWARE_DVS_NAME"
}
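Review bot: The added `iniset /$Q_PLUGIN_CONF_FILE dvs insecure "$VMWAREAPI_INSECURE"` writes an empty value whenever the variable is not exported in localrc, and an empty string is not a valid value for the `insecure` BoolOpt the plugin defines, so the driver would presumably refuse its config rather than fall back to the secure default — confirm against devstack's `iniset`, which as far as I recall emits `option = ` for an empty value. Give the variable an explicit secure default before the call, `VMWAREAPI_INSECURE=${VMWAREAPI_INSECURE:-False}`, so devstack can neither break config loading nor silently turn certificate verification off. An empty `ca_file` is harmless by comparison since the StrOpt is simply unset, but guarding that `iniset` with `[[ -n "$VMWAREAPI_CA_FILE" ]]` keeps the generated file clean. The enclosing `neutron_plugin_configure_service` begins before this hunk.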


@ -29,6 +29,15 @@ dvs_opts = [
cfg.FloatOpt('task_poll_interval',
default=0.5,
help='The interval used for polling of remote tasks.'),
cfg.StrOpt('ca_file',
help='Specify a CA bundle file to use in verifying the '
'vCenter server certificate.'),
cfg.BoolOpt('insecure',
default=False,
help='If true, the vCenter server certificate is not '
'verified. If false, then the default CA truststore is '
'used for verification. This option is ignored if '
'"ca_file" is set.'),
cfg.IntOpt('api_retry_count',
default=10,
help='The number of times we retry on failures, e.g., '
@ -53,7 +62,9 @@ def dvs_create_session():
CONF.dvs.host_password,
CONF.dvs.api_retry_count,
CONF.dvs.task_poll_interval,
port=CONF.dvs.host_port)
port=CONF.dvs.host_port,
cacert=CONF.dvs.ca_file,
insecure=CONF.dvs.insecure)
def dvs_name_get():
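Review bot: The `insecure` help text in the options hunk says only that the certificate is not verified, yet `dvs_create_session` sends `host_username` and `host_password` over that very connection, so an operator should be told what skipping verification costs. Extend the help with `'Setting this to True exposes the vCenter credentials to a man-in-the-middle and is intended for test environments only; operators whose vCenter presents a self-signed certificate should set "ca_file" instead.'`. Note also that `insecure` now defaults to False whereas oslo.vmware's own default is, as far as I recall, True, so deployments with a self-signed vCenter certificate will start failing after this patch unless `ca_file` is set — that is the right default, but it deserves an UpgradeImpact tag and a release note rather than only DocImpact. The `VMwareAPISession(` call in `dvs_create_session` opens before the second hunk.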


@ -35,6 +35,8 @@ class DvsUtilsTestCase(base.BaseTestCase):
group='dvs')
cfg.CONF.set_override('dvs_name', 'fake_dvs', group='dvs')
cfg.CONF.set_override('host_port', '443', group='dvs')
cfg.CONF.set_override('ca_file', 'cacert', group='dvs')
cfg.CONF.set_override('insecure', False, group='dvs')
def test_dvs_set(self):
self._dvs_fake_cfg_set()
@ -49,7 +51,9 @@ class DvsUtilsTestCase(base.BaseTestCase):
cfg.CONF.dvs.host_password,
cfg.CONF.dvs.api_retry_count,
cfg.CONF.dvs.task_poll_interval,
port=cfg.CONF.dvs.host_port)
port=cfg.CONF.dvs.host_port,
cacert=cfg.CONF.dvs.ca_file,
insecure=cfg.CONF.dvs.insecure)
def test_dvs_name_get(self):
cfg.CONF.set_override('dvs_name', 'fake-dvs', group='dvs')
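Review bot: Both hunks exercise only the explicit-override path (`ca_file='cacert'` and `insecure=False` set in `_dvs_fake_cfg_set`), so nothing asserts the property the patch exists for: that with neither option configured the session is created with `cacert=None, insecure=False`, i.e. verification is on by default. Add a sibling of `test_dvs_set` that skips the two new overrides and asserts `cacert=None, insecure=False` in the `VMwareAPISession` call, plus one with `insecure=True` overridden to pin the pass-through; otherwise a regression that flips the default back to oslo.vmware's non-verifying behaviour would go unnoticed. `_dvs_fake_cfg_set` and the mocked session assertion both begin outside these hunks, so the new tests would reuse the same setup they do.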